{{/* KubeDNS is not installed on the bootstrap phase and kube-apiserver will fail on a DNS resolution request */}}
{{/*   because it doesn't know `deckhouse.d8-system.svc` address yet.*/}}
{{- if .Values.global.clusterIsBootstrapped }}
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
  name: deckhouse-webhook
  {{- include "helm_lib_module_labels" (list . (dict "app" "deckhouse-webhook")) | nindent 2 }}
webhooks:
  - name: modules.deckhouse-webhook.deckhouse.io
    rules:
      - apiGroups:
          - "deckhouse.io"
        apiVersions:
          - "v1alpha1"
        resources:
          - "modules"
        operations:
          - CREATE
          - UPDATE
          - DELETE
        scope: Cluster
    admissionReviewVersions:
      - v1
    matchPolicy: Equivalent
    failurePolicy: Ignore
    sideEffects: None
    clientConfig:
      caBundle: {{ .Values.deckhouse.internal.admissionWebhookCert.ca | b64enc }}
      service:
        name: deckhouse
        namespace: d8-system
        port: 9651
        path: /validate/v1alpha1/modules
  - name: module-configs.deckhouse-webhook.deckhouse.io
    rules:
      - apiGroups:
          - "deckhouse.io"
        apiVersions:
          - "v1alpha1"
        resources:
          - "moduleconfigs"
        operations:
          - CREATE
          - UPDATE
    admissionReviewVersions:
      - v1
    matchPolicy: Equivalent
    failurePolicy: Fail
    sideEffects: None
    clientConfig:
      caBundle: {{ .Values.deckhouse.internal.admissionWebhookCert.ca | b64enc }}
      service:
        name: deckhouse
        namespace: d8-system
        port: 9651
        path: /validate/v1alpha1/module-configs
{{- end }}
